An ad-verification company has uncovered multiple hacker networks involved in auto-redirect attacks with payloads of mobile click fraud, tech support scams, and malicious installations. GeoEdge estimates the scam could cost publishers and advertisers $1.13 billion annually.
GeoEdge identified seven distinct classes of redirect attacks as well as major hacker networks. These families of attacks, and the hacker networks that use them, are responsible for hundreds of millions of monthly impressions.
In some of the attacks, the auto-redirect took the user out of the browser entirely and into an app store: on mobile devices the redirect usually lands in the App Store or Google Play Store rather than simply mimicking the usual desktop tricks.
GeoEdge also found evidence of click fraud. The mobile browser opens multiple invisible iframes and calls multiple URLs and ultimately executes fraudulent clicks. In this particular attack, GeoEdge identified a whitelist of hundreds of domains where the attack would actually occur. The ad loads a script from Amazon AWS S3 and checks the domain to see whether it should execute. If the specific domain is on the whitelist, the code will embed hidden iframes in the browser and click on the ads, according to GeoEdge's security research, titled Auto-Redirects.
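The two behaviours just described (hidden iframes firing clicks at third-party hosts, and navigations that leave the browser for an app store) can be flagged from the page side. The following is an added example, not code from GeoEdge or its report; it assumes a publisher's creative monitor hands it the attributes of newly inserted frames as plain objects, and all hostnames and sample frames are constructed.

```javascript
// Added example (not GeoEdge's code): page-side heuristics for the behaviours
// described above. Frames are plain objects carrying the attributes a
// MutationObserver callback would read, so the logic runs without a DOM.
// All hosts and sample values below are constructed.

// Hosts and URL schemes that take the user out of the browser into an app store.
const APP_STORE_HOSTS = new Set(["apps.apple.com", "itunes.apple.com", "play.google.com"]);
const APP_STORE_SCHEMES = new Set(["itms-apps:", "itms-appss:", "market:"]);

// Classify where a navigation would land: "app-store", "off-site", "same-site" or "invalid".
function classifyNavigation(targetUrl, pageHost) {
  let url;
  try { url = new URL(targetUrl, "https://" + pageHost + "/"); } catch (e) { return "invalid"; }
  if (APP_STORE_SCHEMES.has(url.protocol) || APP_STORE_HOSTS.has(url.hostname)) return "app-store";
  return url.hostname === pageHost ? "same-site" : "off-site";
}

function dim(value) { const n = parseInt(value, 10); return Number.isNaN(n) ? null : n; }

// A frame that loads a URL but cannot be seen: zero-sized, display:none,
// visibility:hidden or fully transparent. Unknown sizes count as visible.
function isHiddenFrame(frame) {
  const s = frame.style || {};
  const w = dim(frame.width ?? s.width), h = dim(frame.height ?? s.height);
  return (w !== null && w <= 1) || (h !== null && h <= 1) ||
         s.display === "none" || s.visibility === "hidden" || parseFloat(s.opacity ?? "1") === 0;
}

// Score a burst of frames inserted within a short window. Several hidden frames
// pointing at distinct third-party hosts is the click-fraud pattern in the report.
function scoreFrameBurst(frames, pageHost) {
  const hosts = new Set();
  let hidden = 0;
  for (const f of frames) {
    if (!isHiddenFrame(f)) continue;
    hidden += 1;
    const nav = classifyNavigation(f.src, pageHost);
    if (nav === "off-site" || nav === "app-store") hosts.add(new URL(f.src, "https://" + pageHost + "/").hostname);
  }
  return { hidden, thirdPartyHosts: hosts.size, suspicious: hidden >= 3 && hosts.size >= 2 };
}

// Constructed sample: a burst an injected ad script might produce on news.example.
const SAMPLE_FRAMES = [
  { src: "https://ads-a.example.net/click?c=1", width: "0", height: "0" },
  { src: "https://ads-b.example.org/click?c=2", style: { display: "none" } },
  { src: "https://ads-a.example.net/click?c=3", style: { opacity: "0", width: "1px", height: "1px" } },
  { src: "https://news.example/widget", width: "300", height: "250" },
];
const SAMPLE_RESULT = scoreFrameBurst(SAMPLE_FRAMES, "news.example");
console.log(SAMPLE_RESULT); // { hidden: 3, thirdPartyHosts: 2, suspicious: true }
```

The thresholds (three hidden frames, two hosts) are assumptions to tune against a site's own legitimate creatives, since some ad tech legitimately uses small tracking frames.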
Broken down by damages, auto-redirects cost the advertising industry an estimated $210 million annually and another $920 million through ads with click fraud.
Hidden redirects are programmed to run click-fraud campaigns. The report, which analyzes about 650 million impressions, delves into redirects, evasive tactics, and how to discover redirect code.
Auto-redirects make up 48% of malvertising events, with malicious URL pre-click far behind at 18%. The U.S. accounts for 48% of auto-redirects -- nearly five times as many as Canada, which comes in at No. 2, and Australia at No. 3.
About 27% of malvertising events occur on desktops and 72% on mobile devices, with 57% on Apple iOS and 15% on Google Android.
Notifications that look like they come from Google or Apple falsely alert users that their devices are infected or that they have been given a free iPhone, pushing them to download malware or dial a scam number.
The schemes are similar to those used for non-redirecting attacks, but by taking users to an entirely separate window rather than a banner ad, the scam appears to be more legitimate.
For example, a webpage that is wholly constructed to look like Microsoft’s site can seem more genuine than a simple banner ad. Attacking banks is difficult, while replicating a bank’s web page and getting users to hand over their info is comparatively easy.
To mobile users, a "System Warning!" in the pop-up notification style that appears to come from the search engine or publisher's site can seem too real to ignore. This makes mobile redirects particularly effective for click fraud and for phishing and mining personal data.
The hacker networks identified by GeoEdge redirected users to nearly a dozen apps in the App Store and Google Play Store, including the Star Wars: Galaxy of Heroes game made by Electronic Arts.